Which ports to open in PIX for outgoing Cisco VPN client connections?

haseeb_eng
Level 1

I have Cisco VPN clients behind the PIX and I want them to connect to a VPN 3005 which is behind another PIX. Can anybody tell me which ports I have to open on both the PIX firewalls?

4 Replies

nihal.akbulut
Level 1

Hi,

You have to permit ESP and ISAKMP on the PIX. For example:

access-list acl-out permit esp host 99.99.99.2 host 99.99.99.12

access-list acl-out permit udp host 99.99.99.2 host 99.99.99.12 eq isakmp

For more information you can check this example:

http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml

Hope this helps.

nohare
Level 1

It depends on how you have deployed your VPN Remote Access users.


By default, if you enable IPSec-over-TCP or IPSec-over-UDP, then port 10000 is used for both; these methods are Cisco proprietary and the port can be changed.


If you use NAT-T (NAT Traversal), the standards-based implementation, then it uses UDP 4500.


Either way, the operation of the VPN depends on:

1) Whether these services have been enabled on the VPN Concentrator

2) Enabling the relevant transport settings in the VPN Client connection properties.

Regarding the PIX in front of the VPNC3005, you will need to allow the above ports inbound to your VPNC3005 public interface.

Locally, it depends on whether you filter outbound connections through your PIX. If you don't, then the PIX will allow the connection for the VPN Client attempting to access the remote VPNC3005:

1. esp

2. udp 50

3. udp 4500
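As an added check (example code written for this page, not from the thread or from Cisco), the script below parses PIX access-list lines like the ones quoted in the replies above and reports which protocol/port pairs are still missing for a chosen client transport. It assumes ESP is IP protocol 50 (matched by name), IKE/ISAKMP is UDP 500, NAT-T is UDP 4500, the Cisco UDP encapsulation keeps IKE on UDP 500 while carrying ESP on the configured port (default 10000), and the TCP encapsulation carries everything on its TCP port; the sample ACL is constructed.

```python
# Added example: check a PIX access-list against what an IPsec remote-access client needs.
import re
PORT_NAMES = {"isakmp": 500}  # PIX accepts the service name in place of 500
# (protocol, port) pairs each transport mode needs; None = the whole IP protocol.
REQUIRED = {
    "native": [("esp", None), ("udp", 500)],
    "nat-t": [("esp", None), ("udp", 500), ("udp", 4500)],
    "ipsec-over-udp": [("udp", 500), ("udp", 10000)],  # 10000 is the default,
    "ipsec-over-tcp": [("tcp", 10000)],                # and is configurable
}
ACL_RE = re.compile(
    r"^access-list\s+\S+\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>host\s+\S+|any)\s+(?P<dst>host\s+\S+|any)(?:\s+eq\s+(?P<port>\S+))?$"
)

def parse_acl(config):
    """Return (action, proto, src, dst, port) for each access-list line."""
    rules = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # not an access-list line this parser understands
        port = m.group("port")
        if port is not None:
            port = PORT_NAMES.get(port.lower()) or int(port)
        src, dst = (m.group(g).split()[-1] for g in ("src", "dst"))  # drop 'host'
        rules.append((m.group("action"), m.group("proto").lower(), src, dst, port))
    return rules

def covers(rule, proto, port, src, dst):
    """True if one rule permits proto/port from src to dst ('any' matches all)."""
    action, r_proto, r_src, r_dst, r_port = rule
    if action != "permit" or r_proto not in (proto, "ip"):
        return False
    if r_src not in (src, "any") or r_dst not in (dst, "any"):
        return False
    return r_port is None or r_port == port  # no 'eq' means every port

def missing_rules(config, mode, client, concentrator):
    """(proto, port) pairs for `mode` that no rule in `config` permits."""
    rules = parse_acl(config)
    return [(p, port) for p, port in REQUIRED[mode]
            if not any(covers(r, p, port, client, concentrator) for r in rules)]

# Constructed sample: only the two lines from the first reply.
SAMPLE_ACL = """access-list acl-out permit esp host 99.99.99.2 host 99.99.99.12
access-list acl-out permit udp host 99.99.99.2 host 99.99.99.12 eq isakmp"""
if __name__ == "__main__":  # show the gaps per mode against the sample
    print({m: missing_rules(SAMPLE_ACL, m, "99.99.99.2", "99.99.99.12") for m in REQUIRED})
```

Run against the two sample lines, the native mode is fully covered while NAT-T still lacks UDP 4500 and the UDP encapsulation lacks UDP 10000.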

Thanks for your reply. Do I need to open port 500 also for IPsec?